LDAP
'''Lightweight Directory Access Protocol'''
* Port 389 (port 636 for LDAPS).
* LDAP is the protocol for reading and writing a hierarchical directory database.
* Primarily used to store information about network users and groups. The firewall needs it for User-ID group mapping.
* Common directories: Active Directory, Novell eDirectory and OpenLDAP.

'''Common object types:'''
* DC = Domain Component
** Used by eDirectory and AD.
** Designed to represent a layer that maps to a part of the DNS name space.
* O = Organization
** Common in eDirectory.
** Usually only one per tree, near the top.
* OU = Organizational Unit
** Common in all LDAP deployments.
** Used to organize most other objects in the tree.
* CN = Common Name
** Includes users and groups, which are leaf objects.
** In AD the default Users container is a CN (CN=Users,DC=...), not an OU.
** Unlike OU and DC, CN tells you nothing about the object's type.

'''Active Directory''' - a contiguous DNS name space is called a Tree. A ''Forest'' is a collection of one or more trees.

'''eDirectory''' - the tree is the directory: one tree per eDirectory.

'''MS Active Directory'''

Checking the AD domain name for the LDAP Server Profile configuration (Device -> Server Profiles -> LDAP) on a Windows server:
# Log in to the AD server.
# Start -> Programs -> Active Directory Users and Computers.
# In the tree on the left, find the DNS domain name of the server. Right-click it and go to Properties.
# In the General tab, the "Domain name (pre-Windows 2000)" entry is the NetBIOS domain name.

'''LDAP Profile Configuration:''' Device -> Server Profiles -> LDAP
* The Domain field is optional and in most cases can be left blank.
** The PAN firewall will automatically derive the domain from the Bind DN.
** If the domain doesn't match the Bind DN, configure the NetBIOS domain name in the Domain field, not the full DNS domain.
** EX: "pantaclab" and not "pantaclab.com"

'''LDAP for administrative access to the PAN:'''
# Create an LDAP server profile.
# Create an Authentication profile.
# Define the users. Each admin must exist both in AD/LDAP and on the PAN device.
Admin roles cannot be assigned from AD/LDAP groups: each admin must be defined on the PAN device. The password, however, is checked against LDAP, so admins log in to the PAN with their LDAP password, and it changes when they change it in LDAP. If the LDAP account is disabled, they immediately lose access to the PAN.

'''FIRST: (Device -> Server Profile -> LDAP -> Add)'''
# Create a new server profile and give it a locally significant name. The name is case sensitive.
# Check "Administrator Use Only".
## If left unchecked, the profile can be used for both admin and non-admin (VPN) access, but it is recommended to create two separate profiles even if they point at the same servers.
# Add Servers. Add the name (also locally significant), the IP address (or FQDN), and the port (389 for standard LDAP or 636 for LDAPS).
# '''Domain Name'''. In most cases leave it BLANK; the PAN firewall will automatically derive the domain from the Bind DN.
## If the domain doesn't match the Bind DN, use the NetBIOS domain name, not the full domain. It is added to the username when authentication is performed.
## EX: if the domain is "paloaltonetworks.com", add "paloaltonetworks" as the domain.
# '''Type''' of directory (AD, e-Directory, Sun, or Other).
# '''Base''' = the starting point for user searches. The device will usually suggest the base of the domain, but you can narrow it down. For example, if you have an OU that contains all of your admin users and you know they will never live anywhere else, restrict the search to just that OU and its child containers; this also keeps an unrelated account elsewhere in the directory with the same login name from matching.
## EX: DC=testserver,DC=org
# '''Bind DN''' (Distinguished Name) = the account the firewall binds as to perform searches, given as the account's DN; the "username@domain" format also works. Enter the account's password as well. Use a dedicated service account with read-only rights: the firewall only searches for users, so the Bind DN needs no write or administrative privileges in the directory.
# The SSL checkbox is checked by default. Do NOT forget to uncheck it if you're not using LDAPS, but prefer LDAPS (port 636) where the server supports it: a simple bind over plain LDAP sends the Bind DN password, and every admin's password, across the network in cleartext.

'''SECOND: (Device -> Authentication Profile)'''
# '''Name'''.
# '''Allow List'''. Leave it at "all", since who gets in is controlled later when the admin users are defined.
# '''Authentication'''. Select LDAP.
# '''Server Profile'''. Select the LDAP server profile created earlier.
# '''Login Attribute'''. Enter the LDAP directory attribute that uniquely identifies the user.
## For MS Active Directory, the login attribute is sAMAccountName.
# '''Password Expiry Warning'''. For LDAP as the auth method, enter the number of days before password expiration at which an automated warning is sent to the user.
## If left blank, no warning is provided.

'''THIRD: (Device -> Administrators)''' define the users.
# Name. Name of the LDAP user (the value the user logs in with, i.e. the login attribute, such as the sAMAccountName).
# Authentication Profile. Select the Authentication Profile created above.
# Choose a '''role'''.
## ''Superuser'' = full access.
## ''Superuser (read-only)'' = read-only access to the current device.
## ''Device Administrator'' = full access to a selected device, except for defining new accounts or virtual systems.
## ''Device Administrator (read-only)'' = read-only access to the current device.
## ''Vsys Admin'' = full access to a selected virtual system on a specified device (if multiple are enabled).
# '''Commit.'''

'''LDAP Commands'''
> show user ldap-server server all
* If you receive an "invalid credentials" error, check the credentials and the Base and Bind DN (Device -> Server Profiles -> LDAP).
> less mp-log ldapd.log
* If an incorrect Base was configured, the "number of entries returned" at the very bottom of the output is 0.
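The following is an added example, not code from the page or from PAN-OS. It simulates, against a small constructed directory, the lookup the firewall performs when an admin logs in: the DN object types from the first section (DC, OU, CN) are parsed into RDNs, the Base DN restricts the search to a subtree, the Login Attribute (sAMAccountName) is matched after stripping a NetBIOS or DNS domain from the typed username, and a disabled AD account (userAccountControl bit 0x2, a real AD flag) is refused. The domain name "pantaclab.com", the OU layout and every account in DIRECTORY are constructed sample data; the function names are mine, not the firewall's.

```python
# Added example: stand-alone simulation of the firewall's LDAP user lookup.
# DIRECTORY is constructed sample data, not a real domain.

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks an AD account as disabled

DIRECTORY = {
    "CN=Administrator,CN=Users,DC=pantaclab,DC=com":
        {"sAMAccountName": "Administrator", "userAccountControl": 0x200},
    "CN=Jane Doe,OU=FW Admins,OU=IT,DC=pantaclab,DC=com":
        {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
    "CN=Old Admin,OU=FW Admins,OU=IT,DC=pantaclab,DC=com":
        {"sAMAccountName": "oldadmin", "userAccountControl": 0x200 | ACCOUNTDISABLE},
    "CN=Bob Smith,OU=Sales,DC=pantaclab,DC=com":
        {"sAMAccountName": "bsmith", "userAccountControl": 0x200},
}


def parse_dn(dn):
    """Split a DN into a list of (type, value) RDNs, honouring backslash escapes
    (e.g. 'CN=Doe\\, Jane'). Types and values are lower-cased so that comparisons
    are case-insensitive, as they are for the string attributes used here."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        rdn_type, _, value = rdn.partition("=")
        out.append((rdn_type.strip().lower(), value.strip().lower()))
    return out


def in_subtree(dn, base):
    """True if dn is base itself or lies anywhere beneath it (a subtree search).
    The RDN list of a child ends with the RDN list of its base."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def split_login(login):
    """Reduce 'DOMAIN\\user' or 'user@dns.domain' to the bare login name, which is
    the value compared against the Login Attribute. A Domain configured on the
    server profile is prepended in the same NetBIOS form, so it is stripped here too."""
    if "\\" in login:
        return login.split("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


def search(base, attr, value):
    """Subtree search under base for entries whose attr equals value."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base) and str(attrs.get(attr, "")).lower() == value.lower()]


def lookup_admin(login, base, login_attr="sAMAccountName"):
    """Mirror the firewall's steps: strip the domain, search for the login attribute
    under the Base DN, require a unique hit, and refuse disabled accounts.
    Returns (status, dn_or_None)."""
    name = split_login(login)
    hits = search(base, login_attr, name)
    if not hits:
        return ("no-entry", None)      # what ldapd.log shows as "number of entries returned: 0"
    if len(hits) > 1:
        return ("ambiguous", None)     # the login attribute must be unique under the base
    dn = hits[0]
    if DIRECTORY[dn]["userAccountControl"] & ACCOUNTDISABLE:
        return ("disabled", dn)        # account disabled in AD: access to the PAN is lost at once
    return ("ok", dn)


if __name__ == "__main__":
    admin_base = "OU=FW Admins,OU=IT,DC=pantaclab,DC=com"
    print(lookup_admin("pantaclab\\jdoe", admin_base))         # ('ok', 'CN=Jane Doe,...')
    print(lookup_admin("oldadmin", admin_base))                 # ('disabled', 'CN=Old Admin,...')
    print(lookup_admin("bsmith@pantaclab.com", admin_base))     # ('no-entry', None): Sales is outside the base
    print(lookup_admin("bsmith", "DC=pantaclab,DC=com"))        # ('ok', ...) once the base is the domain root
```

The last two calls show the symptom from the troubleshooting section: the same account resolves or returns zero entries depending only on the Base DN, so a "number of entries returned: 0" with correct credentials points at the Base, not at the Bind DN.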